Bug report: top-level Javascript required for bookmarklets

Bug reports and enhancement requests
Post Reply
tw001
Posts: 3
Joined: Sun Mar 26, 2017 8:08 pm

Bug report: top-level Javascript required for bookmarklets

Post by tw001 »

Since I updated to the latest Firefox (version 52.0.1 but I may have skipped a version, OpenSUSE Linux) I can no longer use bookmarklets without activating Javascript for the top level of the site itself. I use a few bookmarklets very extensively so that this new behavior is really getting into the way. I tried to downgrade NoScript (eventually down to 5.0.1) assuming that the problem originated from the addon but it didn't solve the problem. So, I wonder if it has something to do with the interaction between Firefox and NoScript that can be solved to avoid that the top level has to be activated in order to use the bookmarklets.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by barbaz »

Are you using the openSUSE distribution build of Firefox, or the official Mozilla build?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Bug report: top-level Javascript required for bookmarkle

Post by therube »

Examples (sources) of these bookmarklets?
Since I updated to the latest Firefox
Were you also using NoScript with the earlier FF versions?


Pretty sure it's not going to be unusual to have to allow the top-level domain if the bookmarklet is passing data on to a third party site. (Or is it that that third party site needs to be Allowed?)

So if you have an "imgur.com" bookmarklet & you want to "send" an image automatically to imgur, & you click your bookmarklet, quite possible that (& I forget) but either top-level domain, or imgur.com needs to be Allowed, kind of thing.

This:

Code: Select all

javascript:(function(){var unencodedURL=location.href;var websiteURL=encodeURIComponent(unencodedURL);var full=true;var length=full?'0':'600';var url='http://snapito.com/?url='+websiteURL+'&size=800x'+length+'&cache=-1';window.open(url,'Download','')})();
requires snapito.com to be Allowed, not necessarily the top-level domain of the page you're on.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46
tw001
Posts: 3
Joined: Sun Mar 26, 2017 8:08 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by tw001 »

I use the openSUSE built RPM -- currently 52.0.1-57.3.1

I have used FF and NoScript for many years. In fact, it happened once or twice before some years ago that NoScript would block javascript in bookmarklets. But one or two NoScript updates later it had always worked again.

I'm happy to show examples of the bookmarklets if that matters. But it seemed to me that the blocking was simply universal behavior. I agree that almost all websites seem to use javascript for good reasons so that activating the top level would make sense. But with javascript active comes always the possibility of finger printing etc., which should not be allowed unless I consent. Unfortunately, until now very few people seemed to care.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by barbaz »

Does it work in the official Mozilla build, in a new profile created in the official Mozilla build?

If not, please post some example failing bookmarklets as therube requested.
*Always* check the changelogs BEFORE updating that important software!
-
tw001
Posts: 3
Joined: Sun Mar 26, 2017 8:08 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by tw001 »

Unfortunately, recent upgrades didn't make a difference: currently running Firefox 52.1.0 (openSUSE) and NoScript5.0.4.

If Javascript is not activated for the top-level of a website then the following bookmarklet does send the data to the server (localhost):

Code: Select all

javascript:function%20loadScript(scriptURL){var%20scriptElem=doument.createElement('SCRIPT');scriptElem.setAttribute('language','JavaScript');scriptElem.setAttribute('src',scriptURL);document.body.appendChild(scriptElem);}h=location.href;t=document.title;e=''+(window.getSelection?window.getSelection():document.getSelection?document.getSelection():document.selection.createRange().text);loadScript('https://localhost:8443/cgi-bin/bmtest.py?url='+encodeURIComponent(h)+'&tags=~openB%20%s&title='+encodeURIComponent(t)+'&notes='+encodeURIComponent(e).replace(/%20/g,'+')+'&cmd=reappend');
For testing purposes, I degraded Firefox. The most recent version where this bookmarklet works without having JS deactivated in NoScript for the top-level of a website was Mozilla Firefox 51.0.1. Version 52 doesn't work neither the RPM from the openSUSE update repository nor from the Mozilla repository!
Last edited by barbaz on Sat May 13, 2017 11:55 pm, edited 1 time in total.
Reason: wrap bookmarklet in code tags
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by barbaz »

Thanks.

That specific bookmarklet should require several changes in NoScript -

1) It's injecting <script> tags into the page, thus the top-level site does need Allowed. Unfortunately such injected scripts are indistunguishable from the page's own scripts.

2) Because it is accessing LOCAL resources from a webpage, you need to add an exception to the default ABE rule. NoScript Options > Advanced > ABE > SYSTEM, add at the very top -

Code: Select all

Site https://localhost:8443/cgi-bin/bmtest.py?*
Accept
3) You also need to whitelist https://localhost:8443
Due to a bug in NoScript, that must be entered manually in NoScript Options > Whitelist.


The fact the bookmarklet did work before without any of these changes, looks like the NoScript bug to me.

So I'm not really sure what to make of this. Image
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug report: top-level Javascript required for bookmarkle

Post by barbaz »

offtopic: I just noticed a typo in your bookmarklet - "doument" should be "document". If I accidentally messed it up when editing your post, my apologies.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Bug report: top-level Javascript required for bookmarkle

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.1 Lightning/5.4
Post Reply